Configuring user provisioning

Whether your deployment of i2 Analyze authenticates users through a registry or an identity provider, the basic procedure for custom user provisioning is the same. You must open the provisioning-configuration.json file, configure it, save it, and update the deployment.

Before you begin

To enable customization of user provisioning, you must change a setting in the ApolloServerSettingsMandatory.properties file. If you have not previously done so, set the ProvisioningCompatibilityMode property in that file to false and then redeploy Liberty.

Note: i2 Analyze sets the ProvisioningCompatibilityMode property to true during upgrade of deployments of version 4.4.3 and earlier that use federated user registries. In this mode, any member of the federated registry can log in to i2 Analyze, and the application only learns about users and groups when they authenticate for the first time.

Procedure

The provisioning configuration file controls how users from a user registry or an identity provider are provisioned in i2 Analyze.

  1. Open the configuration/live/provisioning-configuration.json file in a text editor.

  2. Use the information in The provisioning-configuration.json file to configure your custom provisioning settings.

  3. Save the provisioning configuration file.

  4. Update the deployment with your changes.

    The following steps deploy your changes without stopping the server by using a POST request to a REST endpoint.

    Note: To redeploy your changes by using only the deployment toolkit, see Redeploying Liberty. You must use the deployment toolkit if you're in a deployment with high availability, or you're deploying in your production environment.

    1. Update the configuration on the server:

      setup -t updateLiveConfiguration

    2. Update the running application through the reload endpoint:

      curl -i --cookie-jar cookie.txt -d j_username=<user_name> -d j_password=<password> http://<host_name>/<context_root>/j_security_check
      
      curl -i --cookie cookie.txt -X POST http://<host_name>/<context_root>/api/v1/admin/config/reload

      Note: To reload the server through the reload endpoint, you must have administrative access to i2 Analyze. For more information, see Using the admin endpoints.

      If your custom provisioning configuration mistakenly results in no users having administrative access, you can fix the problem and redeploy i2 Analyze by using the deployment toolkit.

      Warning: The reload method updates the provisioning configuration without requiring a server restart, but any logged-in users might experience some disruption when you run it.
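
A pre-flight check that can be run before step 4, shown here as an added example rather than part of the i2 Analyze toolkit: it confirms that ProvisioningCompatibilityMode is set to false and that the edited provisioning-configuration.json still parses as JSON. The function names and sample inputs are hypothetical, both file paths are supplied by the caller, and treating an unset property as a problem is an assumption.

```python
import json
import sys
from pathlib import Path

# Constructed sample inputs (not from a real deployment, not the real schema).
SAMPLE_PROPS = "# constructed sample\nProvisioningCompatibilityMode=true\n"
SAMPLE_JSON = '{"placeholder": ["a", "b",]}'  # trailing comma: invalid JSON


def read_property(text, key):
    """Return the last value assigned to key in Java-properties text, or None."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        for sep in ("=", ":"):
            name, found, rest = line.partition(sep)
            if found and name.strip() == key:
                value = rest.strip()  # a later assignment overrides an earlier one
                break
    return value


def preflight(properties_text, provisioning_json_text):
    """Return a list of problems found by the two checks (empty if none)."""
    problems = []
    mode = read_property(properties_text, "ProvisioningCompatibilityMode")
    if mode is None:
        # Assumption: an unset property is reported, since the default is not stated.
        problems.append("ProvisioningCompatibilityMode is not set")
    elif mode.lower() != "false":
        problems.append(f"ProvisioningCompatibilityMode is {mode!r}, expected false")
    try:
        json.loads(provisioning_json_text)
    except json.JSONDecodeError as exc:
        problems.append(f"provisioning-configuration.json: {exc.msg} (line {exc.lineno})")
    return problems


if __name__ == "__main__":
    # Usage: preflight.py <ApolloServerSettingsMandatory.properties> <provisioning-configuration.json>
    if len(sys.argv) == 3:
        props, conf = (Path(p).read_text(encoding="utf-8") for p in sys.argv[1:3])
    else:
        props, conf = SAMPLE_PROPS, SAMPLE_JSON  # demo run on the constructed samples
    found = preflight(props, conf)
    for problem in found:
        print("FAIL:", problem)
    sys.exit(1 if found else 0)
```

The script exits with a nonzero status when either check fails, so it can gate the setup -t updateLiveConfiguration step in a wrapper script.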